# Syncs an SSH private key (the name suggests a read-only config-management deploy
# key) from GCP Secret Manager into a Kubernetes Secret of the same name in this
# namespace; the talaria Deployment below mounts that Secret read-only.
# NOTE(review): the synced material is readable by any principal with get/list on
# Secrets in the `talaria` namespace, so namespace RBAC is part of this key's
# trust boundary.
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: unthos-cfg-mgmt-read-ssh
  namespace: talaria
  labels:
    app.kubernetes.io/name: talaria
    platform.edge.ncr.com: 'true'
    platform.edge.ncr.com/component: talaria
spec:
  data:
  # Secret Manager secret `unthos-cfg-mgmt-read-ssh` is exposed under the
  # Secret data key `ssh`.
  - name: ssh
    key: unthos-cfg-mgmt-read-ssh
  backendType: gcpSecretsManager
  # Project hosting the Secret Manager secret; the trailing comment is a kpt
  # setter and must stay byte-identical.
  projectId: foreman-project-id # {"$kpt-set":"foreman-project-id"}
---
# Non-secret configuration pointing talaria at the Chariot endpoint. Consumed via
# `envFrom` by the Deployment below (marked optional there: "not needed for
# top-level deployments").
apiVersion: v1
kind: ConfigMap
metadata:
  name: talaria-chariot-config
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: 'talaria'
data:
  # NOTE: this is not a real/accurate value yet; it is a placeholder that the
  # kpt setter on this line replaces at deploy time.
  CHARIOT_ENDPOINT: https://chariot.edge.ncr.com # {"$kpt-set":"chariot-endpoint"}
---
# Syncs the IAP OAuth2 client ID from Secret Manager into a Kubernetes Secret of
# the same name; the Deployment below injects it as the env var
# CHARIOT_AUTH_IAP_CLIENT_ID (optional, "not needed for top-level deployments").
# An OAuth2 client *ID* is an identifier rather than a credential, but it is
# handled here like any other Secret Manager entry.
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: edge-api-iap-oauth2-client-id
  namespace: talaria
  labels:
    app.kubernetes.io/name: talaria
    platform.edge.ncr.com: 'true'
    platform.edge.ncr.com/component: 'talaria'
spec:
  data:
  # `name` becomes the Secret data key, i.e. the env var name used by envFrom.
  - name: CHARIOT_AUTH_IAP_CLIENT_ID
    key: edge-api-iap-oauth2-client-id
  backendType: gcpSecretsManager
  # kpt setter; keep the trailing comment byte-identical.
  projectId: foreman-project-id # {"$kpt-set":"foreman-project-id"}
---
# Namespace that holds every talaria resource in this file.
# NOTE(review): no pod-security.kubernetes.io/* labels are set, so nothing in the
# namespace constrains privileged or root pods; consider adding an
# `enforce` level once the talaria container's runtime needs are confirmed.
apiVersion: v1
kind: Namespace
metadata:
  name: talaria
  labels:
    app.kubernetes.io/name: talaria
    # Pins sidecar injection to a specific Anthos Service Mesh control-plane
    # revision rather than the default injector.
    istio.io/rev: asm-181-5
    platform.edge.ncr.com: 'true'
    platform.edge.ncr.com/component: talaria
    workload.edge.ncr.com: platform
---
# Config Connector IAM binding: grants the talaria GCP service account
# roles/secretmanager.admin on the whole folder (resourceRef kind: Folder).
# NOTE(review): a folder-level admin binding makes this service account an
# administrator of every secret in every project under the folder. The
# ExternalSecrets in this file read only two named secrets, and project
# bootstrapping (PROJECT_BOOTSTRAPPING in talaria-foreman-config) may need to
# create secrets in new projects, but neither requires folder-wide *admin*.
# Confirm the minimum set of operations and prefer
# roles/secretmanager.secretAccessor for reads and/or a per-project binding
# created at bootstrap time.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: talaria-folder-secret-manager
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
  annotations:
    # Folder Config Connector should act in; kpt setter, keep byte-identical.
    cnrm.cloud.google.com/folder-id: folder-id # {"$kpt-set":"folder-id"}
spec:
  # Principal receiving the role; derived from foreman-project-id by the setter.
  member: serviceAccount:talaria@foreman-project-id.iam.gserviceaccount.com # {"$kpt-set":"foreman-project-id-talaria-sa-setter"}
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: folder-id # {"$kpt-set":"folder-id"}
  role: roles/secretmanager.admin
---
# Non-secret GCP targeting configuration for talaria's project-bootstrapping
# mode. Injected via `envFrom` by the Deployment below (optional there:
# "not needed in enterprise deployments"). All four values are kpt setters or
# constants; none is a credential, but the billing account and folder ID
# determine where talaria can create and bill projects, so treat edits as
# security-relevant.
apiVersion: v1
kind: ConfigMap
metadata:
  name: talaria-foreman-config
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
data:
  GCP_BILLING_ACCOUNT: billing-account # {"$kpt-set":"billing-account"}
  GCP_FOLDER_ID: folder-id # {"$kpt-set":"folder-id"}
  GCP_PROJECT_ID: foreman-project-id # {"$kpt-set":"foreman-project-id"}
  # Quoted on purpose: ConfigMap data values must be strings, and an unquoted
  # `true` would be parsed as a boolean.
  PROJECT_BOOTSTRAPPING: 'true'
---
# Config Connector creates a user-managed key for the `talaria` GCP service
# account and writes it into a Kubernetes Secret of this name; the Deployment
# below mounts that Secret and points GOOGLE_APPLICATION_CREDENTIALS at its
# key.json entry.
# NOTE(review): this is a long-lived, non-expiring credential for a service
# account that holds folder-wide admin roles elsewhere in this file. Anyone who
# can read Secrets in the `talaria` namespace (or an etcd/backup copy) obtains
# it. Prefer GKE Workload Identity (bind KSA `talaria` to the GSA with
# roles/iam.workloadIdentityUser) and remove this resource; if the key must
# stay, rotate it on a schedule and alert on its use from outside the cluster.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccountKey
metadata:
  name: talaria-gcp-api-creds
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
  annotations:
    # kpt setter; keep the trailing comment byte-identical.
    cnrm.cloud.google.com/project-id: foreman-project-id # {"$kpt-set":"foreman-project-id"}
spec:
  keyAlgorithm: KEY_ALG_RSA_2048
  # Produces the JSON credentials file format that Google client libraries read.
  privateKeyType: TYPE_GOOGLE_CREDENTIALS_FILE
  publicKeyType: TYPE_X509_PEM_FILE
  serviceAccountRef:
    # Refers to the IAMServiceAccount named `talaria` defined later in this file.
    name: talaria
---
# Config Connector IAM binding: read-only visibility of GKE clusters
# (roles/container.clusterViewer) for the talaria service account across the
# whole folder. Read-only, but folder-wide — consistent with the registration
# purpose stated on the IAMServiceAccount below.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: talaria-gke-cluster-viewer
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
  annotations:
    # kpt setter; keep the trailing comment byte-identical.
    cnrm.cloud.google.com/folder-id: folder-id # {"$kpt-set":"folder-id"}
spec:
  member: serviceAccount:talaria@foreman-project-id.iam.gserviceaccount.com # {"$kpt-set":"foreman-project-id-talaria-sa-setter"}
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: folder-id # {"$kpt-set":"folder-id"}
  role: roles/container.clusterViewer
---
# Config Connector IAM binding: roles/gkehub.admin for the talaria service
# account across the whole folder, i.e. it can register and unregister any
# cluster in any project under the folder with GKE Hub.
# NOTE(review): this is the role that backs the "Register clusters with GKE Hub"
# purpose below, so it is expected; confirm that registration must span the
# whole folder rather than the bootstrapped projects only, and that no
# narrower Hub role covers the operations talaria actually performs.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: talaria-gke-hub-admin
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
  annotations:
    # kpt setter; keep the trailing comment byte-identical.
    cnrm.cloud.google.com/folder-id: folder-id # {"$kpt-set":"folder-id"}
spec:
  member: serviceAccount:talaria@foreman-project-id.iam.gserviceaccount.com # {"$kpt-set":"foreman-project-id-talaria-sa-setter"}
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: folder-id # {"$kpt-set":"folder-id"}
  role: roles/gkehub.admin
---
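# The talaria bootstrap controller. Runs as Kubernetes ServiceAccount `talaria`,
# authenticates to GCP with the service-account key mounted from Secret
# `talaria-gcp-api-creds`, and reads the SSH key synced by ExternalSecret
# `unthos-cfg-mgmt-read-ssh`. The image is pinned by digest, which is the
# right call for a controller holding folder-wide GCP roles.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: talaria
  namespace: talaria
  labels:
    app.kubernetes.io/name: talaria
    build.edge.ncr.com/commit: 5477ca2920e11ab6b4da631e89dcd5efb2c7613f
    # All-digit values are quoted so they stay strings (label values must be).
    build.edge.ncr.com/id: "969381288"
    build.edge.ncr.com/semver: 0.0.1-rc.969381288.5477ca2.2021-06-24
    build.edge.ncr.com/timestamp: "1624568874"
    platform.edge.ncr.com/component: talaria
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: talaria
  template:
    metadata:
      labels:
        app.kubernetes.io/name: talaria
    spec:
      # `serviceAccount` is the deprecated alias of this field; same behaviour,
      # current spelling.
      serviceAccountName: talaria
      # NOTE(review): no pod/container securityContext and no resource limits are
      # set. Once the image's runtime needs are confirmed, add
      # runAsNonRoot/allowPrivilegeEscalation: false/capabilities drop ALL and a
      # memory limit — this pod carries a privileged GCP credential.
      containers:
      - name: talaria
        image: us-east1-docker.pkg.dev/ret-edge-pltf-preprod-infra/preprod/talaria@sha256:b2375bd75ea47833d38e55659002b1e6105f33eb29f8c7310276cc923c97e7e2
        envFrom:
        - secretRef:
            # not needed for top-level deployments
            name: edge-api-iap-oauth2-client-id
            optional: true
        - configMapRef:
            # not needed for top-level deployments
            name: talaria-chariot-config
            optional: true
        - configMapRef:
            # not needed in enterprise deployments
            name: talaria-foreman-config
            optional: true
        - configMapRef:
            # Required (not optional); this ConfigMap is not defined in this
            # listing and must be provided elsewhere or the pod will not start.
            name: talaria-git-config
        env:
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: GOOGLE_APPLICATION_CREDENTIALS
          # key.json is default key name in IAMServiceAccountKey unwrapped
          # secret
          value: /opt/secrets/talaria-gcp-api-creds/key.json
        resources:
          requests:
            cpu: 1000m
            memory: 200Mi
        # Both secret mounts are read-only so the process cannot alter or
        # truncate the credential files.
        volumeMounts:
        - name: unthos-cfg-mgmt-read-ssh
          readOnly: true
          mountPath: /opt/secrets/unthos-cfg-mgmt-read-ssh
        - name: talaria-gcp-api-creds
          readOnly: true
          mountPath: /opt/secrets/talaria-gcp-api-creds
        # Safe with a digest-pinned image: the cached layer is the exact digest.
        imagePullPolicy: IfNotPresent
      volumes:
      - name: unthos-cfg-mgmt-read-ssh
        secret:
          # Secret produced by the ExternalSecret of the same name.
          secretName: unthos-cfg-mgmt-read-ssh
      - name: talaria-gcp-api-creds
        secret:
          # Secret produced by the IAMServiceAccountKey of the same name.
          secretName: talaria-gcp-api-creds
---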
# Config Connector-managed GCP service account used by talaria. The three
# IAMPolicyMember bindings above grant it roles/secretmanager.admin,
# roles/container.clusterViewer and roles/gkehub.admin on the folder, and the
# IAMServiceAccountKey above mints a long-lived key for it — so this single
# identity concentrates most of the blast radius in this file.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: talaria
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: 'talaria'
  annotations:
    # kpt setter; keep the trailing comment byte-identical.
    cnrm.cloud.google.com/project-id: foreman-project-id # {"$kpt-set":"foreman-project-id"}
spec:
  description: Register clusters with GKE Hub & auth with Edge components over IAP
  displayName: Edge Talaria Bootstrap Controller
---
# Kubernetes ServiceAccount the talaria pod runs as. No RBAC bindings for it
# appear in this listing, and `automountServiceAccountToken` is left at its
# default — if talaria talks to the Kubernetes API (it reads its own namespace
# via the downward API), document the Role it needs here; otherwise set
# `automountServiceAccountToken: false`.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: talaria
  namespace: talaria
  labels:
    app.kubernetes.io/name: talaria
    platform.edge.ncr.com/component: 'talaria'
imagePullSecrets:
# Registry credential for the private Artifact Registry image; the Secret is
# not defined in this listing and must be created separately in the namespace.
- name: edge-docker-pull-secret